Summary

A vulnerability exists in the BIG-IP® Configuration Utility due to improper sanitization of the “Top Requested URLs” table on the Overview: Traffic page. Malicious content is not properly sanitized before being stored and is later returned to an administrator in dynamically generated web content. Remote attackers could leverage this vulnerability to conduct persistent cross-site scripting attacks. When a user navigates to the Overview: Traffic page within the BIG-IP Configuration Utility, the content of the “Top Requested URLs” table is loaded into the affected JavaScript array and is executed in the user’s browser session. Successful exploitation may aid an attacker in retrieving session cookies, stealing recently submitted data, or launching further attacks.
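The output-encoding fix for the sink described above, shown as an added example (not F5's code and not part of the advisory): logged request URLs embedded in an inline JavaScript array, first by plain concatenation and then encoded for the script context. The function names and the sample URLs are constructed for illustration.

```javascript
'use strict';

// Constructed sample of logged request URLs; the second one carries characters
// that are significant to both the JavaScript and the HTML parser.
const SAMPLE_URLS = ['/index.html', '/a"</script><b>', '/x\\y'];

// Unsafe pattern: the array literal is built by string concatenation, so a
// quote in a stored URL ends the string literal and a "</script>" sequence
// ends the enclosing script block.
function renderNaive(urls) {
  return 'var topUrls = [' + urls.map(u => '"' + u + '"').join(',') + '];';
}

// Characters JSON.stringify leaves untouched but that must not appear raw
// inside an inline <script> element.
const SCRIPT_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Hardened pattern: JSON-encode the values (handles quotes, backslashes and
// control characters), then replace the HTML-significant characters with
// \uXXXX escapes so the data can never close the string or the script block.
function renderSafe(urls) {
  const json = JSON.stringify(urls.map(String));
  return 'var topUrls = ' +
    json.replace(/[<>&\u2028\u2029]/g, c => SCRIPT_ESCAPES[c]) + ';';
}

// Encoding for the second sink: the table cell itself. Use this (or
// textContent in the browser) whenever a stored URL is written as HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

console.log(renderNaive(SAMPLE_URLS));
console.log(renderSafe(SAMPLE_URLS));
console.log(escapeHtml(SAMPLE_URLS[1]));
```

The encoded form still evaluates to the original strings, so the table shows the URL exactly as requested while the browser treats it as data only.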